UNIT -III SIEM aur baato kaise hai aap log.pdf

hefagi6193 10 views 80 slides Aug 04, 2024


UNIT –III
Security Information and Event Management

Security Information and Event Management
(SIEM)
•Security information and event management (SIEM) is an approach to security management that combines security information management (SIM) and security event management (SEM) functions into one security management system.
•The underlying principles of every SIEM system are to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action.
•For example, when a potential issue is detected, a SIEM system might log additional information, generate an alert and instruct other security controls to stop an activity's progress.

Contd..
•Payment Card Industry Data Security Standard compliance originally drove SIEM adoption in large enterprises, but concerns over advanced persistent threats have led smaller organizations to look at the benefits SIEM tools can offer as well.
•A SIEM system can be rules-based or employ a statistical correlation engine to make connections between event log entries.
•Advanced SIEM systems have evolved to include user and entity behavior analytics (UEBA), as well as security orchestration, automation and response (SOAR).

Contd..
•SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers and network equipment, as well as specialized security equipment, such as firewalls, antivirus programs or intrusion prevention systems (IPSes).
•The collectors forward events to a centralized management console,

Why do we need SIEM?
•Rise in data breaches due to internal and external threats
•Attackers are smart and traditional security tools just don’t suffice
•Mitigate sophisticated cyber-attacks
•Manage the increasing volume of logs from multiple sources
•Meet stringent compliance requirements.

Collection

Aggregation

Parsing

Normalization and Categorization

Enrichment

Correlation Rules and Alert

Indexing

Storage

SIEM Architecture: QRADAR

Logrhythm

Alien Vault

Deployment

Contd..

Deployment Options
•SIEM can be deployed in any of the following ways:
•Self Hosted - Self managed
•Self Hosted - MSSP managed
•Self Hosted - Jointly managed
•Cloud - MSSP managed
•Cloud - Jointly managed
•Cloud - Self managed

SIEM Solutions
•A list of vendors that provide SIEM solutions:
•HP ArcSight
•RSA Security Analytics
•IBM QRADAR
•AlienVault OSSIM
•Splunk
•SOAR
•EDR
•UEBA

SIEM vs. Log management
•Both Security Information and Event Management (SIEM) and log management software use the log file or event log to improve security by reducing the attack surface, identifying threats and improving response time in the event of a security incident.
•However, the key difference is that the SIEM system is built with security as its primary function, whereas log management systems can be used more broadly to manage resources, troubleshoot network or application outages and maintain compliance.

UNIT -IV: Computer security Log Management

Log Management
•What are Logs?
•Historical record of events that happened.
•Records events and status of systems in a time-sequential format.
•Record of activity on the system/network.
•Provide an audit trail of who did what, where, when and why (5Wh)
•Audit records
•Transaction logs
•Intrusion alerts
•Connection logs
•System Performance records
•User activity logs
•Various alerts and other messages

Log Data Overview
What Logs?
•Audit records
•Transaction logs
•Intrusion alerts
•Connection logs
•System Performance records
•User activity logs
•Various alerts and other messages
From Where?
•Firewall/ Intrusion prevention
•Routers/Switches
•Servers, Desktops, Mainframes
•Business applications
•Databases
•Antivirus
•VPN
•Proxies


Why are logs important?
•Logs can assist us in
•Determining what happened – audit trail
•Intrusion detection
•Incident containment
•Forensics analysis
•Proactive protection
•Real time alerts
•Providing a network baseline
•Determining the health of the network
•Troubleshooting issues
•Proactive maintenance

Why are Logs Important
•Logs are everywhere:
•Operating Systems
•Applications
•Device Logs
•Routers
•Firewalls
•IDS
•Switches
•All this information should be making our jobs easier.

Monitoring as part of Security Process

Typical Network

Security Log Analysis: Why
•Situational awareness and new threat discovery
•Unique perspective from combined logs
•Getting more value out of the network and security infrastructures
•Get more than you paid for!
•Measuring security (metrics, trends, etc.)
•Tracking what the users do
•Incident response (last, but not least)

Log Analysis Basics: How
•Manual
•tail, more, etc.
•Filtering
•Positive and negative (“artificial ignorance”)
•Summarization and reports
•Simple visualization
•“…worth a thousand words?”
•Correlation
•Rule-based and other

From Log Analysis to Log Management

Why Log Management? Logs Beyond Security
•Threat protection and discovery
•Regulatory compliance
•Internal policies and procedure compliance
•Internal and external audit support
•Incident response
•Forensics, “e-discovery” and litigation support
•IT system and network troubleshooting
•IT performance management

From Compliance to Logging Standards
•Log transmission
•Syslog (TCP/UDP port 514)
•Log format
•Syslog, “a non-standard”
•IDMEF, a failed standard
•Log contents
•No standard to speak of: logs = trash can; people dump what they want (or: don’t want!) there

Why Logging standards?
•Common language so that people and other systems understand what is in the logs
•Easier to report on logs and explain the reports
•Deeper insight into future problems as indicated by the log data
•Easier system interoperability (thus, reduced cost and complexity)
•Common logging practices simplify audits and compliance

Computer Security Log Management: Logs
•NIST SP 800-92 introduces computer security log management.
•“A log is a record of the events occurring within an organization’s systems and networks”.
•“Within an organization, many logs contain records related to computer security; common examples of these computer security logs are audit logs that track user authentication attempts and security device logs that record possible attacks.”
•This guide addresses only those logs that typically contain computer security-related information.

Computer Security Log Management: Process
•Security log management is the process for
•generating,
•transmitting,
•storing,
•analyzing, and
•disposing of computer security log data.

The Need for Log Management
•It helps to ensure that computer security records are stored in sufficient detail for an appropriate period of time.
•Routine log reviews and analysis are beneficial for
•identifying security incidents,
•policy violations,
•fraudulent activity, and
•operational problems shortly after they have occurred, and
•for providing information useful for resolving such problems.
•Logs can also be useful for
•performing auditing and forensic analysis,
•supporting the organization’s internal investigations,
•establishing baselines, and
•identifying operational trends and long-term problems.

Contd..
•Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs.
•The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management:
•Federal Information Security Management Act of 2002 (FISMA).
•Emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets.
•NIST SP 800-53, Recommended Security Controls for Federal Information Systems, was developed in support of FISMA.
•It describes several controls related to log management, including the generation, review, protection, and retention of audit records, as well as the actions to be taken because of audit failure.

Contd..
•Gramm-Leach-Bliley Act (GLBA).
•GLBA requires financial institutions to protect
•their customers’ information against security threats.
•Log management can be helpful
•in identifying possible security violations and resolving them
effectively.

Contd..
•Health Insurance Portability and Accountability Act of 1996 (HIPAA).
•Includes security standards for certain health information.
•NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs.
•For example, NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports.

Contd..
•Sarbanes-Oxley Act (SOX) of 2002.
•Applies primarily to financial and accounting practices, but it also encompasses the information technology (IT) functions that support these practices.
•SOX can be supported by reviewing logs regularly to look for signs of security violations, including exploitation, as well as retaining logs and records of log reviews for future review by auditors.

Contd..
•Payment Card Industry Data Security Standard (PCI DSS).
•PCI DSS applies to organizations that
•“store, process or transmit cardholder data” for credit cards.
•One of the requirements of PCI DSS is to
•“track…all access to network resources and cardholder data”.

The Challenges in Log Management
•First, there are several potential problems with the initial generation of logs because of their variety and prevalence.
•Second, the confidentiality, integrity, and availability of generated logs could be breached inadvertently or intentionally.
•Finally, the people responsible for performing log analysis are often inadequately prepared and supported.

Log Generation and Storage-Challenge
•Many Log Sources
•Logs are located on many hosts throughout the organization, so log management has to be performed throughout the organization.
•A single log source can generate multiple logs, for example an application storing authentication attempts in one log and network activity in another log.
•Inconsistent Log Content
•Each log source records certain pieces of information in its log entries, such as host IP addresses and usernames.
•For efficiency, log sources often record only the pieces of information that they consider most important.
•This can make it difficult to link events recorded by different log sources because they may not have any common values recorded (e.g., source 1 records the source IP address but not the username, and source 2 records the username but not the source IP address).

Log Generation and Storage-Challenge
•Inconsistent Timestamps
•Each host that generates logs typically references
•its internal clock when setting a timestamp for each log entry.
•If a host’s clock is inaccurate,
•the timestamps in its logs will also be inaccurate.
•This can make analysis of logs more difficult, particularly
•when logs from multiple hosts are being analyzed.
•Inconsistent Log Formats
•Many of the log source types use different formats for their logs,
•such as
•comma-separated or tab-separated text files,
•databases,
•syslog,
•Simple Network Management Protocol (SNMP),
•Extensible Markup Language (XML), and
•binary files

Log Protection-Challenge
•Logs contain records of system and network security, so they need to be protected from breaches of their confidentiality and integrity.
•For example, logs might intentionally or inadvertently capture sensitive information such as users’ passwords and the content of e-mails.
•This raises security and privacy concerns involving both the individuals that review the logs and others that might be able to access the logs through authorized or unauthorized means.
•Logs that are secured improperly in storage or in transit might also be susceptible to intentional and unintentional alteration and destruction.
•This could cause a variety of impacts, including allowing malicious activities to go unnoticed and manipulating evidence to conceal the identity of a malicious party.

Log Analysis-Challenge
•Network and system administrators have traditionally been responsible for performing log analysis, i.e. studying log entries to identify events of interest.
•It is treated as a low-priority task by administrators and management because other duties of administrators, such as handling operational problems and resolving security vulnerabilities, necessitate rapid responses.
•Administrators who are responsible for performing log analysis often receive no training on doing it efficiently and effectively, particularly on prioritization.

Meeting the Challenges
•Prioritize log management appropriately throughout the
organization
•Define requirements and goals for performing logging and monitoring logs
to include
•applicable laws, regulations, and existing organizational policies.
•Establish policies and procedures for log management
•Ensure a consistent approach throughout the organization as well as
ensuring that laws and regulatory requirements are being met.

Contd..
•Create and maintain a secure log management infrastructure
•To create components of a log management infrastructure and determine
how these components interact.
•This aids in preserving
•the integrity of log data from accidental or
•intentional modification or deletion, and
•also in maintaining the confidentiality of log data.
•Provide adequate support for all staff with log management responsibilities
•Provide the necessary training to relevant staff regarding their log management responsibilities
•Provide skill instruction and the resources needed to support log management.

Log Management Infrastructure-Architecture
•A log management infrastructure typically comprises the following three tiers:
•Log Generation
•The first tier contains the hosts that generate the log data.
•Log Analysis and Storage
•The second tier is composed of one or more log servers that receive log data or copies of log data from the hosts in the first tier.
•The data is transferred to the servers either in a real-time or near-real-time manner, or in occasional batches based on a schedule or the amount of log data waiting to be transferred.
•Log Monitoring
•The third tier contains consoles that may be used to monitor and review log data and the results of automated analysis.
•Log monitoring consoles can also be used to generate reports.
•In some log management infrastructures, consoles can also be used to provide management for the log servers and clients.

Log Management Infrastructure-Function
General log functions
•Parsing
•Filtering
•Aggregation
Log storage functions
•Rotation
•Archival
•Compression
•Reduction
•Conversion
•Normalization
•Integrity Checking
Analysis functions
•Event Correlation
•Viewing
•Reporting
Disposal
•Clearing
Log Management Planning
•To establish and maintain successful log management infrastructures, an organization should perform significant planning and other preparatory actions for performing log management.
•This is important for creating consistent, reliable, and efficient log management practices that meet the organization’s needs and requirements and also provide additional value for the organization.

Define Roles and Responsibilities.
•Define the roles and responsibilities of individuals and teams who are expected to be involved in log management.
•Teams and individual roles often involved in log management include the following:
•System and network admins - configuring logging on individual systems and network devices, analysis, reporting, and performing regular maintenance of the logs and logging software
•Security admins - managing and monitoring the log management infrastructures, configuring logging on security devices (e.g. firewalls, network-based IDS, antivirus servers), reporting on the results of log management activities and assisting others with configuring logging and performing log analysis.

Contd..
•CSIRTs - who use log data when handling some incidents
•Application developers - need to design or customize applications so that they perform logging in accordance with the logging requirements and recommendations
•ISOs and CSOs - oversee the log management infrastructures
•CIOs - oversee the IT resources that generate, transmit, and store the logs
•Auditors - use log data when performing audits
•All software buyers - generate computer security log data.

Contd..
•To ensure that log management at the system level is performed effectively throughout the organization, the administrators of those systems need to receive adequate support from the organization.
•Assuming that the system-level administrators have typical responsibilities, an organization’s support for them should encompass the following actions:
•Disseminating information and providing training on the roles that individual systems and their administrators play in the log management infrastructure

Contd..
•Providing points of contact who can answer administrators’ questions on logging
•Encouraging administrators to submit their lessons learned, and providing a mechanism to disseminate their ideas (e.g., mailing list, internal Web forum, workshop)
•Providing specific technical guidance on integrating system log data with the log management infrastructure, such as implementing SIEM agents or establishing local syslog implementations

Contd..
•Considering establishing a test environment for logging. The organization could test various configurations for common logging sources, document recommendations and instructions, and disseminate them to administrators for their use.
•This information should help them configure their logging more effectively and consistently, and also save them time.
•Making tools such as log rotation scripts and log analysis software available to administrators, along with documentation.
•Organizations should consider implementing these in a test environment and documenting recommendations and instructions for using them.


What is a Log Message?
•A log message is something generated by some device or system to denote that something has happened.
•Basic contents for a log message are the following:
•Timestamp.
•Source.
•Data.
•It doesn’t matter if the message is sent via Syslog, written to Microsoft’s Event Log or stored in a database.

The Logging Ecosystem
•Also referred to as a logging infrastructure: all the components and parts that come together to allow for the generation, filtering, normalization, analysis, and long-term storage of log data.

Log Message Filtering and Normalization
•Filtering deals with including or excluding (exclusion is sometimes
referred to as “dropping on the floor” or drop) log messages based on
the content in the log message.
•For example, it might be perfectly legitimate to drop Cisco router reboot
messages during normal maintenance windows.
•Normalization is the act of taking disparately formatted log
messages and converting them to a common format.

Contd..
•A basic scheme is to take a log message’s explicit and implicit priority and map it to some common scheme.
•An example is
•Low - Low events are ones that are informational and do not need to be addressed as they happen.
•Medium - Medium events tend to be things that may need to be looked at in a timely manner, but not necessarily immediately.
•High - High priority events are ones that require immediate intervention.

How is normalization accomplished?
•The following is a Sourcefire IPS Syslog message:
•Jul 16 10:54:39 SourceFireSFIMS: [1:469:1] ICMP PING NMAP
[Classification: Attempted Information Leak] [Priority: 2] {ICMP}
210.22.215.77 -> 67.126.151.137

Contd..
•Normalization is
•Type: Attempted Information Leak
•Timestamp:July 16 2010, 10:54:39
•Priority: High
•Protocol: ICMP
•Source IP Address: 210.22.215.77
•Destination IP address: 67.126.151.137
•Source Port: NULL
•Destination Port: NULL
•Raw log: Jul 16 10:54:39 Source Fire SFIMS: [1:469:1] ICMP PING
NMAP
•[Classification: Attempted Information Leak] [Priority: 2] {ICMP}
•210.22.215.77 -> 67.126.151.137
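The filtering and normalization steps of the preceding slides, worked through in code as an added example (not from the slides): the Sourcefire IPS message above is parsed into the normalized record shown, the sensor's numeric priority is mapped onto the Low/Medium/High scale, and a maintenance-window drop rule is applied. The priority table beyond "2 -> High", the port-carrying TCP/UDP variant of the message and the maintenance window are assumptions made here for illustration.

```python
import re
from datetime import datetime, time

# Raw message exactly as shown on the slide (syslog carries no year).
RAW = ("Jul 16 10:54:39 SourceFireSFIMS: [1:469:1] ICMP PING NMAP "
       "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
       "210.22.215.77 -> 67.126.151.137")

SF_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+?): "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Assumed mapping of the sensor's numeric priority (1 = most severe) onto the
# common Low/Medium/High scale; the slide itself only shows 2 -> High.
PRIORITY_MAP = {1: "High", 2: "High", 3: "Medium", 4: "Low"}


def normalize(raw, year):
    """Return the normalized record for one Sourcefire message, or None when
    the line does not match (unparsed lines should be kept raw, not dropped)."""
    m = SF_RE.match(raw)
    if not m:
        return None
    # The year is supplied by the collector, as the slide's example does.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}",
                           "%Y %b %d %H:%M:%S")
    return {
        "type": m["cls"],
        "timestamp": ts.isoformat(),
        "priority": PRIORITY_MAP.get(int(m["prio"]), "Low"),
        "protocol": m["proto"],
        "source_ip": m["src"],
        "destination_ip": m["dst"],
        "source_port": int(m["sport"]) if m["sport"] else None,
        "destination_port": int(m["dport"]) if m["dport"] else None,
        "raw": raw,
    }


def keep(event, drop_pattern, window):
    """Filtering rule: return False (drop) when the raw text matches
    drop_pattern and the event's time of day lies inside the maintenance
    window given as ("HH:MM", "HH:MM"); everything else is kept."""
    start, end = (time.fromisoformat(w) for w in window)
    t = datetime.fromisoformat(event["timestamp"]).time()
    return not (start <= t <= end and re.search(drop_pattern, event["raw"]))


if __name__ == "__main__":
    ev = normalize(RAW, 2010)
    for k, v in ev.items():
        print(f"{k}: {v}")
    print("kept during 10:00-11:00 window:", keep(ev, r"ICMP PING NMAP", ("10:00", "11:00")))
```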

Analyse Log Data
•Effective analysis of log data is often the most challenging aspect of log management, but is also usually the most important.
•Log analysis is the process of reviewing, interpreting and understanding computer-generated records called logs.

Gaining an Understanding of Logs
•The key to performing log analysis is understanding the typical activity associated with each system.
•The primary reasons for this are as follows:
•Need for context - Administrators need to determine how this context is defined, such as through additional log entries in one or more logs, or through non-log sources (e.g., configuration management records).
•Context is needed to validate unreliable log entries,

Contd..
•Unclear messages - A log entry might contain a cryptic message or code that is meaningful to the software vendor but not to the administrator reviewing the entry.
•Using SIEM software to analyze logs typically reduces the number of unclear messages because the SIEM software often has detailed knowledge of software vendors’ logging practices.
•However, even SIEM software cannot understand every message, such as new message types associated with a just-released update to a product.

Prioritizing Log Entries
•Organizations should consider assigning their own priorities to log entries
based on a combination of factors, including the following:
•Entry type (e.g., message code 103, message class CRITICAL)
•Newness of the entry type (i.e., has this type of entry appeared in the logs
before?)
•Log source
•Source or destination IP address (e.g., source address on a blacklist,
destination address of a critical system, previous events involving a
particular IP address)
•Time of day or day of the week (e.g., an entry might be acceptable during
certain times but not permitted during others)
•Frequency of the entry (e.g., x times in y seconds).
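An added example (not from the slides) of assigning an organization's own priority from the factors just listed: entry type, newness of the type, log source, source/destination address, time of day and frequency ("x times in y seconds"). The weights, watch lists, business hours and the normalized sample events are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, time

# Assumed local policy (not from the slides): watch list, critical asset,
# security log sources, business hours and the "x times in y seconds" threshold.
BLACKLIST = {"210.22.215.77"}
CRITICAL_ASSETS = {"10.0.0.10"}
SECURITY_SOURCES = {"firewall", "ips"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
BURST_COUNT, BURST_SECONDS = 5, 60

# Constructed normalized events, time-ordered: one IPS alert during the day,
# then six failed logins against a critical host inside one minute at night.
SAMPLE_EVENTS = [{
    "timestamp": "2010-07-16T10:54:39", "source": "ips", "class": "WARNING",
    "type": "Attempted Information Leak",
    "source_ip": "210.22.215.77", "destination_ip": "67.126.151.137",
}] + [{
    "timestamp": f"2010-07-17T02:10:{sec:02d}", "source": "sshd", "class": "INFO",
    "type": "Failed password", "source_ip": "192.0.2.9", "destination_ip": "10.0.0.10",
} for sec in range(0, 60, 10)]


class Prioritizer:
    """Stateful scorer: remembers entry types already seen and recent events
    per (source_ip, type) so newness and frequency can be assessed."""
    def __init__(self):
        self.seen_types = set()
        self.recent = defaultdict(deque)

    def score(self, ev):
        """Return (score, reasons) for one normalized event dict."""
        ts = datetime.fromisoformat(ev["timestamp"])
        score, reasons = 0, []
        if ev.get("class") == "CRITICAL":                      # entry type
            score += 3
            reasons.append("class CRITICAL")
        if (ev["source"], ev["type"]) not in self.seen_types:  # newness
            self.seen_types.add((ev["source"], ev["type"]))
            score += 2
            reasons.append("new entry type")
        if ev["source"] in SECURITY_SOURCES:                   # log source
            score += 1
            reasons.append("security log source")
        if ev.get("source_ip") in BLACKLIST:                   # source address
            score += 3
            reasons.append("blacklisted source address")
        if ev.get("destination_ip") in CRITICAL_ASSETS:        # destination
            score += 2
            reasons.append("critical destination")
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:  # time of day
            score += 1
            reasons.append("outside business hours")
        q = self.recent[(ev.get("source_ip"), ev["type"])]     # frequency
        q.append(ts)
        while (ts - q[0]).total_seconds() > BURST_SECONDS:     # sliding window
            q.popleft()
        if len(q) >= BURST_COUNT:
            score += 2
            reasons.append(f"{len(q)} in {BURST_SECONDS}s")
        return score, reasons


def prioritize(events):
    """Score time-ordered events; return [(score, type, reasons)]."""
    p, out = Prioritizer(), []
    for ev in events:
        s, r = p.score(ev)
        out.append((s, ev["type"], r))
    return out


if __name__ == "__main__":
    for s, t, r in prioritize(SAMPLE_EVENTS):
        print(s, t, ", ".join(r))
```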

Comparing System-Level and Infrastructure-Level Analysis
•Regardless of how much analysis is performed at the infrastructure level, system-level administrators usually need to perform analysis for the following types of entries:
•Entries that are of interest or importance at the system level but are not forwarded to the infrastructure because of their relative priority
•Entries for log sources that cannot automatically participate in the infrastructure (e.g., unusual proprietary formats, standalone systems, legacy systems, appliances)
•Entries that cannot be understood without context that is only available at the system level.

Contd..
•System-level administrators can usually perform reviews and analysis using a variety of tools and techniques.
•To perform effective reviews and analysis, system-level and infrastructure administrators should have a solid understanding of each of the following from training or hands-on experience:
•The organization’s policies regarding acceptable use, so that administrators can recognize violations of the policies
•The security software used by their hosts, including the types of security-related events that each program can detect and the general detection profile of each program (e.g., known false positives)

Contd..
•The operating systems and major applications
•(e.g., e-mail, Web) used by their hosts,
•particularly each OS’s and major application’s security and logging
capabilities and characteristics
•The characteristics of common attack techniques, especially how the
use of these techniques might be recorded on each system
•The software needed to perform analysis, such as
•log viewers,
•log reduction scripts, and
•database query tools.